Solutions for Privacy Compliance
Privacy Compliance for California Nonprofits & Small Businesses
Disclaimer: This post provides general information about privacy considerations and compliance options for websites. It is not legal advice, and we are not attorneys. Privacy laws are complex and evolving, and their application depends on your specific circumstances. For legal guidance on compliance with CIPA, CCPA/CPRA, GDPR, or other privacy regulations, please consult with a qualified attorney. The recommendations here reflect our experience as web developers working with nonprofits and small businesses, not legal counsel.
Understanding the Privacy Landscape
California has several privacy laws that may affect your website, and understanding which ones apply to you helps you make informed decisions about your privacy practices.
CCPA/CPRA: Revenue and Size Thresholds
The California Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), give California residents more control over how their personal data is collected and shared.
When the CCPA/CPRA Applies:
According to the California Attorney General, the CCPA generally applies to for-profit businesses that do business in California and meet one or more of these thresholds:
- Annual gross revenues over $25 million
- Buying, selling, or sharing the personal information of 100,000 or more California consumers, households, or devices per year
- Deriving 50% or more of annual revenue from selling personal information
Do Nonprofits Have to Comply?
The Attorney General confirms that “the CCPA generally does not apply to nonprofit organizations or government agencies.” (FAQ 6)
However, a nonprofit may still be subject to these laws if it is controlled by, shares branding with, or shares consumer data systems with a for-profit entity that meets the thresholds above.
CIPA: A Different Set of Rules
The California Invasion of Privacy Act (CIPA) is a separate law that operates differently from CCPA/CPRA. Originally enacted in 1967 to prevent wiretapping, CIPA is increasingly being applied to website tracking technologies.
Key differences from CCPA/CPRA:
- No revenue or size thresholds – CIPA can apply to any website accessible to California residents
- Requires opt-in consent – Users must consent before tracking begins (not opt-out after)
- Focuses on third-party tracking – Primarily concerns data shared with external parties like Google Analytics, Meta Pixel, etc.
- Private lawsuits – Individuals can sue directly, with statutory damages
Recent lawsuits have targeted websites using Google Analytics and other third-party tracking tools without obtaining consent first. While the law is still being interpreted by courts, it’s worth understanding when making decisions about your website’s tracking tools.
Why Privacy Transparency Matters
Even if your organization isn’t legally required to comply with CCPA/CPRA, a website that uses analytics, donation tools, video embeds, or email platforms is still participating in data collection.
Here’s why transparency matters:
- Vendor requirements: Many vendors’ terms of service require you to disclose cookies and tracking
- User expectations: Visitors increasingly expect to understand and control their data
- Trust building: Following privacy best practices builds trust with your audience
- Future-proofing: Privacy laws continue to evolve; good practices now prepare you for changes ahead
- Legal considerations: CIPA applies more broadly than CCPA/CPRA, without revenue thresholds
Understanding Third-Party Data Collection
Embedding third-party tools (like YouTube, Vimeo, Mailchimp, Google Analytics, or PayPal) does not automatically make your nonprofit a “business” under the CCPA, but it does mean your site is helping collect data that California law considers personal information — such as IP addresses, device IDs, and browsing behavior.
Even if you’re exempt from CCPA, you still have contractual and transparency obligations under your vendors’ terms. Most major platforms require that you:
- Disclose their tracking in your privacy policy
- Provide opt-out or consent options for users
- Avoid loading non-essential scripts before consent where possible
Vendor references:
- Vimeo Privacy Policy – Data Collected via Embedded Players
- YouTube Cookies and Data Collection
- Google Analytics Data & Privacy Overview
- California Privacy Protection Agency FAQ – “Sharing” Definition
Third-Party Tracking and CIPA
Under CIPA, the distinction between first-party and third-party tracking becomes more important:
- First-party tracking: Data collected and stored on your own server (like server logs or WordPress-native analytics) presents less legal concern
- Third-party tracking: Data sent to external services (Google Analytics, Meta Pixel, etc.) is the primary focus of recent lawsuits
CIPA cases focus on whether third parties “intercept” or “eavesdrop on” communications between users and websites. When you load Google Analytics or similar tools, data about user behavior is transmitted to those third parties—and CIPA requires consent before that transmission occurs.
What Happens When You Use Embedded Videos or Third-Party Tools
Embedding videos, forms, or widgets can trigger data collection that you are responsible for disclosing.
Embedded Videos (YouTube, Vimeo)
Video players may collect IP addresses, device/browser data, and usage tracking across websites. See Vimeo’s Analytics FAQ for details.
Analytics + Embeds = Tracking
When you combine analytics, embeds, and social-sharing widgets, your site almost certainly uses cookies.
Under California law, that can count as “sharing” personal information. (Cal. Civ. Code § 1798.140(ad))
That’s why cookie consent isn’t just for e-commerce—it’s about transparency and respect for user choice.
Best Practices for Privacy Compliance
Whether legally required or not, these practices protect your organization and build trust with your users:
- Provide clear notice via your privacy policy and cookie banner
- Obtain consent before loading third-party tracking (especially important for CIPA)
- List vendors (Google Analytics, Vimeo, Mailchimp, PayPal, etc.) and describe what each collects
- Allow meaningful opt-outs of non-essential cookies and tracking
- Consider privacy-first alternatives that don’t require consent
Two Approaches to Privacy Compliance
Approach 1: Remove Unnecessary Tracking
The most straightforward path to compliance is removing tracking tools you’re not actively using:
- Switch to privacy-first analytics: Tools like Independent Analytics (WordPress-native) collect data on your own server without third-party tracking—no consent banner needed
- Remove unused pixels: If you’re not running active ad campaigns, remove Meta Pixel or other advertising trackers
- Host fonts locally: Instead of loading Google Fonts from Google’s servers, host them on your own site
- Audit third-party tools: Remove chat widgets that receive no inquiries, social sharing buttons you don’t need, etc.
This approach eliminates CIPA concerns entirely for those tools, simplifies your privacy policy, and often improves site performance.
Approach 2: Implement Proper Consent Management
If you genuinely need third-party tracking tools like Google Analytics:
1. Cookie Banner / Consent Manager
- Notify users of cookies or tracking before they load
- Explain their purpose (analytics, embeds, donations)
- Actually block scripts until consent is given (not just display a notice)
- Provide clear opt-out options
2. Up-to-Date Privacy Policy
- Describe your use of cookies and third-party tools
- List all vendors and data collected/shared
- Explain how users can disable cookies or tracking
- Keep policies current as you add or remove tools
Managing Privacy Policies: Free vs. Paid Options
Option 1: Termageddon (Recommended)
Termageddon (~$12/month) offers comprehensive privacy compliance:
- Auto-updating privacy and cookie policies as laws change
- Cookie consent banner powered by Usercentrics technology that actually blocks tracking
- CIPA-aware compliance: Built to address current California privacy requirements
- Guided onboarding to tailor for your specific tools and data flows
- Less manual maintenance and better long-term coverage
Why we recommend it: The consent banner actually blocks scripts from loading until users consent—a critical requirement for CIPA compliance. Many free cookie banners just display a notice while still loading tracking tools.
Sign up: policies.termageddon.com/register
- Use promo code MINNOW for 10% off your first payment
- After you sign up, schedule free onboarding: termageddon.com/onboarding/
- We can help you integrate the policies and consent manager into your website
Option 2: CookieYes (Free Version)
- Free cookie banner that can block scripts until consent
- Requires manual privacy-policy updates
- Free tier capped at 5,000 monthly page views (as of July 1, 2025)
- Best for very small or low-traffic sites
Sign up: https://www.cookieyes.com/
- Create your banner: https://www.cookieyes.com/documentation/add-cookie-banner-to-website/
- We can help you integrate the policies and consent manager into your website
Important note: Test any consent solution to confirm that it actually blocks tracking scripts from loading rather than just displaying a notice. This is essential for CIPA compliance.
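The consent gating and the pre-consent check described above, as an added example in JavaScript that is not code from the original post, Termageddon or CookieYes; the storage key, the data-consent/data-src attribute names and the category names are this example's own assumptions:

```javascript
// Added example (not code from the original post or from any vendor it names): a consent gate.
// Third-party tags ship inert so the browser neither fetches nor runs them, e.g.
//   <script type="text/plain" data-consent="analytics" data-src="https://analytics.example/tag.js"></script>
// A live <script src> is created only after the visitor grants that category.
// The storage key, attribute names and category names are this example's own convention.

const CONSENT_KEY = "site_consent_v1";

// Parse stored consent such as {"analytics":true}. Missing or malformed storage
// means nothing has been opted in to (opt-in, which is what CIPA-style consent requires).
function readConsent(storage) {
  try {
    const parsed = JSON.parse(storage.getItem(CONSENT_KEY) || "{}");
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch (_) { return {}; }
}

// Keep only tags whose category was explicitly granted; a missing category or
// any value other than true stays blocked.
function scriptsToActivate(tags, consent) {
  return tags.filter((t) => t.category && consent[t.category] === true);
}

// Swap consented inert tags for live <script src> elements in `doc`; in a browser call
// activateConsented(document, readConsent(localStorage)). Returns the activated URLs.
function activateConsented(doc, consent) {
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-src]'))
    .map((el) => ({ el, category: el.getAttribute("data-consent"), src: el.getAttribute("data-src") }));
  return scriptsToActivate(tags, consent).map((t) => {
    const live = doc.createElement("script");
    live.src = t.src; // only now does the browser fetch the third-party script
    live.async = true;
    t.el.parentNode.replaceChild(live, t.el);
    return t.src;
  });
}

// Audit check for "does anything load before consent?": third-party hosts seen in
// Resource Timing entries (performance.getEntriesByType("resource") in a browser).
// Run it with consent withheld; the expected result is [].
function thirdPartyHostsContacted(entries, ownHost) {
  const hosts = new Set();
  for (const e of entries) {
    let host;
    try { host = new URL(e.name).hostname; } catch (_) { continue; } // skip non-URL names
    if (host && host !== ownHost) hosts.add(host);
  }
  return Array.from(hosts).sort();
}
```

In a browser, run thirdPartyHostsContacted(performance.getEntriesByType("resource"), location.hostname) before accepting the banner; any host it lists belongs to a tag the consent tool failed to block.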
Privacy Compliance Checklist
- [ ] Audit your current tracking: What cookies and third-party tools does your site use?
- [ ] Evaluate necessity: Are you actually using the data from each tracking tool?
- [ ] Consider privacy-first alternatives: Can you switch to tools that don’t require consent?
- [ ] If keeping third-party tracking:
  - [ ] Implement a consent banner that blocks scripts until consent is given
  - [ ] Publish a clear, current privacy policy
  - [ ] List all third-party vendors and data collected
  - [ ] Test that tracking doesn’t load until users consent
- [ ] Update annually – or use auto-updating Termageddon
- [ ] Review vendor terms for privacy requirements
Our Recommendations
Based on our experience working with California nonprofits and small businesses:
For Most Organizations:
Consider privacy-first analytics first. Tools like Independent Analytics provide the insights you need without third-party tracking concerns. This eliminates the need for consent banners (for analytics) and simplifies your entire privacy approach.
If You Need Third-Party Tracking:
Implement proper consent management. We recommend Termageddon because:
- It handles both privacy policies and consent banners
- It actually blocks tracking until consent (not all tools do this)
- It stays current as laws evolve
- It’s built by attorneys who understand privacy law
For All Sites:
Remove tracking you’re not using. This is the simplest form of compliance—not tracking things you don’t need in the first place.
Understanding CIPA Compliance
Since CIPA is relatively new in the website context, here are the key requirements:
Consent must come before tracking begins. This means cookie consent tools must actually block scripts from loading, not just display a notice. Many free cookie banner plugins don’t do this properly.
First-party vs. third-party matters. CIPA concerns focus primarily on third-party tracking—data sent to external servers like Google or Facebook. First-party tools (data that stays on your server) present less concern.
Clear privacy disclosures are essential. Your privacy policy should clearly explain what tracking technologies you use, what data they collect, and who receives that data.
For more technical details on CIPA, see Termageddon’s CIPA Guide.
Final Thoughts
Privacy compliance doesn’t have to be overwhelming. The key steps are:
- Understand what you’re currently tracking
- Decide if you really need all of it (often you don’t)
- Choose privacy-first alternatives where possible
- For remaining third-party tools, implement proper consent
We’re here to help you think through these decisions based on your specific needs, budget, and goals. Whether you’re required to comply by law or simply want to respect your users’ privacy, implementing these practices builds transparency, trust, and long-term resilience as privacy expectations continue to evolve.